Ambient authority
From Erights
Revision as of 12:28, 11 June 2009
Definition
If a subject can operate on all objects of a given type, we say that it has ambient authority.
Comment
Several access control models have been invented and implemented to restrict the ambient authority of subjects. Many of them are:
- either weak (they cannot enforce the principle of least authority),
- or convoluted (it is hard to learn how to work with the model and to be sure about the authority of subjects).
Things become more "interesting" if we have to consider different security policies, enforced via different alternative security mechanisms, for the same type of objects and for different types of objects, together with the relevant transitivity relationships.
Examples of ambient authority
If we consider UNIX processes run by some user as subjects and files owned by that user as objects then all processes have ambient authority to manipulate all those files.
If we consider UNIX processes as subjects and TCP ports 1024--65535 as objects then all processes have ambient authority to listen on any of those TCP ports.
If we consider UNIX processes as subjects and UDP ports 1024--65535 as objects then all processes have ambient authority to listen on any of those UDP ports.
If we consider UNIX processes run by some user as subjects and all executable programs owned by that user as objects then all these processes have ambient authority to run any of those programs.
If we consider all functions defined in some C program as subjects and all functions in the same C program as objects then any function has ambient authority to call any other function (in C we can cast any integer to a function pointer and perform the call operation with this forged reference to a function).
If we consider all functions defined in some C program as subjects and all regions of the address space of the relevant process as objects then all these functions have ambient authority to read from or write to any such memory region.
If we consider all processes in UNIX as subjects and also as objects then all UNIX processes have ambient authority to send any signal to any other process.
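The first example above (processes versus files owned by the same user) can be made concrete with a small added Python illustration; it is not code from the Erights wiki. The `read_with_ambient_authority` function is a component written in the usual style: it takes a path, so it can reach any file the process can. The hypothetical `DirectoryCap` object stands in for a capability: a component given only that object is meant to reach files under one directory and nothing else, with `..` and symlink escapes refused after path resolution. Python itself does not confine the holder (it could still call `open` directly), which is exactly the point of the Comment section: without platform enforcement the restriction is a convention, not a guarantee.

```python
import pathlib
import tempfile


def read_with_ambient_authority(path):
    """A component that takes a path can read any file the process can open.

    This is the ambient-authority design: the caller's intent ("read the
    report") is not distinguishable from "read anything" at the type level.
    """
    with open(path, "rb") as f:
        return f.read()


class DirectoryCap:
    """Hypothetical read-only capability for one directory subtree.

    Holding this object authorises reading files below ``root`` only.
    Paths are resolved first, so '..' components and symlinks that point
    outside the subtree are refused rather than followed.
    """

    def __init__(self, root):
        self._root = pathlib.Path(root).resolve()

    def read(self, relpath):
        target = (self._root / relpath).resolve()
        if target != self._root and self._root not in target.parents:
            raise PermissionError(f"{relpath!r} is outside the granted directory")
        with open(target, "rb") as f:
            return f.read()


def demo():
    """Build a constructed file layout in a temp dir and compare both designs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = pathlib.Path(tmp)
        (base / "granted").mkdir()
        (base / "granted" / "report.txt").write_bytes(b"quarterly numbers")
        # Constructed sample secret that the component has no business reading.
        (base / "secret.txt").write_bytes(b"api-key-do-not-share")

        results = {}
        # Ambient authority: the path-taking component reads the secret freely.
        results["ambient_reads_secret"] = read_with_ambient_authority(base / "secret.txt")

        # Capability: only the granted subtree is reachable through the object.
        cap = DirectoryCap(base / "granted")
        results["cap_reads_report"] = cap.read("report.txt")
        try:
            cap.read("../secret.txt")
            results["cap_escape_denied"] = False
        except PermissionError:
            results["cap_escape_denied"] = True
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the script shows the path-taking component returning the secret, the capability returning only the report, and the `../secret.txt` escape being refused.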